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• Preamble 

• A Typical Risk Management Process 

• The Concept of Risk-informed Decision Making (NASA’s Perspective) 

ii 

• Some Key Concepts 

• Probabilistic Risk assessment (PRA) Overview 

• PRA Methodology Synopsis 

• PRA Results of a Real Space System 

• Summary 
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• Probabilistic Risk Assessment is a tool that can inform 
decisions during the entire lifecycle of a program/project 

- Risk analysis of decision alternatives in light of 
programmatic objectives (to support direction setting 
decisions) 

- Risk analysis of selected alternatives to set priorities (to 
support risk management decisions) 

• Probabilistic Risk Assessment can play a major role in 

- Design decisions and 

- Operation decisions 
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• identify - Identify program risk “issues” 

• Analyze - Estimate the likelihood and 
consequence components of the risk issues 

• Plan - Plan the Track and Control actions 


Track - Track and compile the necessary risk 
data, measuring how the RM process is 
progressing 



Control - Determine the appropriate Control 
action, execute the decision linked to that action, 
and verify its effectiveness 

Communicate and Document -communicating 
and documenting all risk information throughout 
each program phase 


Emphasis on 

• “management” of individual 
“risks” 

• monitoring and accountability for 
action items associated with 
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Relies heavily on the application of risk matrices 
Risk “issues” are mapped onto the matrix individually 



» 
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* Red » High Risk 
rallow » Medium Risk 
ureeo » l Q w Risk 

Risk Matrix Derived from Iso-Risk Curves 






Iso-Risk (Equal Risk) Curves 
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• A tool for communicating among cognizant and responsible entities 

• Presents summary information about the results of an analysis or 
assessment of particular risks, and places those results in the 
context of previously established action thresholds 

• The purpose of this communication is to coordinate the 
organizational risk management response 

- Which risks most urgently need management attention? 

- What risks are being elevated? 

- What risks are under control? 

• The risk matrix does not add new technical content to the discussion 
that should occur anyway. It only provides a familiar vehicle for 
conveying that content, it is riot an analysis tool : it is a tool that 
promotes efficiency in communication. 
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• Risks are displayed on a risk matrix in order to frame a discussion of 
the appropriate current risk management response to those risks 

• Traditionally, this has been done by color-coding the cells of the risk 
matrix, with “red” calling for significant attention, “green” implying 
that things are under control, and “yellow” in between. 

• The thresholds separating different-colored regions are necessarily 
specific to programs and organizations 

- Risk tolerance is different among different programs 

- Priorities are different among different programs 

• Therefore, the likelihood and consequence scales must be specific to 
the organizational and program context in which a given risk matrix is 
being used 

- They must be defined unambigously 
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• Evolved In the mid-1 990’s at Nuclear Regulatory 
Commission in the context of nuclear plant [safety] 
risk 

• Formulation of “risk-informed” may have been a 
reaction to overzealous advocacy of risk-based 
regulation: aggressively modifying [admittedly 
inefficient] traditional approaches to regulation, 
based on risk model results 
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• A risk-informed decision-making process that uses a diverse 
set of performance measures (some of which are model-based 
risk metrics) along with other considerations within a 

deliberative process to inform decision making. Paragraph a.i 4 
of NASA NPR 8000.4A 

Note to Paragraph A.I 4: A decision-making process relying primarily on 
a narrow set of model-based risk metrics would be considered “ risk- 
based . ” 

• Decisions are informed by an iotegratecl risk perspective 

rather than being informed by a set of individual “risk” 
contributions whose cumulative significance is not 
understood 
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• RIDM is a structured process aimed at achieving success by proactively 
risk-informing the selection of decision alternatives. 

• RIDM tries to foster development of the most robust technical basis for 
decision-making 

- Couples the attributes of the proposed decision alternatives to the objectives 
that define success; 

- Considers all attributes of significance to the stakeholders in an integrated 
manner: technical, safety, schedule and cost; 

~ Helps ensure that a broad spectrum of decision alternatives are considered; 

- Involves quantitative assessment of the merits and drawbacks of each 
proposed decision alternative relative to the stated objectives; 

- Accounts for the uncertainties inherent to each proposed decision alternative 
to the extent that they impact the achievement of the stated objectives; and 

- Communicates the quantitative assessment of the proposed decision 
alternatives into the decision environment, where it is deliberated along with 
other considerations to form a comprehensive, risk-informed basis for 
alternative selection 

* Deliberative process intended to capitalize on tacit organizational 
knowledge after the analysis / modeling stage 
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• The latest version of NPR 8000.4A, Agency Risk Management 
Procedural Requirements, was issued on December 16, 2008 

- Accessible from NASA Online Directives System (NODIS) Library 

- http://nQdis3.qsfc,nasa.gov/displavDir.cfm?t=NPR&c~8Q00&s=4A 

• This directive evolves NASA’s Risk Management (RM) approach to 
entail two complementary processes: 

- Risk-informed Decision Making (RIDM) 

• Emphasizes the proper use of risk analysis in its broadest sense to make risk informed 
decisions that impact all mission execution domains (e.g., safety, technical, cost, and 
schedule) 

♦ Formulates recommendations for performance requirements 

- Continuous Risk Management (CRM) 


Focuses on the management of risk associated with implementation of baseline 
performance requirements 
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- Identification of decision alternatives 
(decision context) and considering a 
sufficient number and diversity of 
Performance Measures 

- Risk analysis of decision alternatives 
(uncertainty analysis of performance 
associated with the alternative 


- Selection of a decision alternative 
informed by (not solely based on) Risk 

Analysis Results 



To Performance Requirements Development 

SStiii 


CRM 
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CRM is conducted in the 
context of performance 





Steps in the CRM Process 


Identify 

Identify Risk Contributors (Shortfall in Performance 
Relative to Baseline Performance Requirements) 


m 

|| 
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CRM Process 



Effectiveness of Mitigation Plans: Make Adjustment 
' to the Plans, and Execute Control Measures 
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rformance Measures and Performance Objectives 

A Performance Measure is a metric used to quantify the extent to which 
a Performance Objective is fulfilled 

- Safety (e.g., avoidance of injury, fatality, or destruction of key assets) 

- Technical (e.g., increase thrust or output, maximize amount of observational data 
acquired) 

- Cost (e.g., execution within minimum cost) 

- Schedule (e.g., meeting milestones) 

Examples of Performance Objectives and corresponding Performance 
Measures 


- Maintain Astronaut Health -> 

- Minimize Cost 

- Maximize Payload Capability -> 

- Maximize Public Support -> 


Probability of Loss of Crew (P(LOC)) 
Cost ($) 

Payload Capability (kg) 

Public Support (1 - 5) 


An Imposed Constraint is a limit on the allowable values of the 
Performance Measure with which it is associated 


- Example: A hard limit on minimum acceptable payload capability 
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• The term “risk”, when used without further qualifications, is very 
general and applies to a large variety of user contexts 

• In general, risk is uncertainty regarding the future outcome of an 
undertaking of some kind: a decision alternative, a project, a launch, 
etc. 

• In the context of mission execution, risk is the expression of the 
potential for performance shortfalls, which may be realized in the 
future, with respect to achieving explicitly, established and stated 
performance requirements 

- The performance shortfalls may be related to any one or more of 
the following mission execution domains: 

• Safety 

• Technical performance 

• Cost 

• Schedule 
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A performance commitment is a performance measure value 
set at a specified percentile of the performance measure’s pdf 
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• The “triplet” concept of “risk” is operationally useful for 
defining, analyzing, and managing risk 

- The scenariofs ) leading to degraded performance with 
respect to one or more Performance Measures (e.g., 
scenarios leading to injury, fatality, destruction of key 
assets; scenarios leading to exceedance of mass limits; 
scenarios leading to cost overruns; scenarios leading to 
schedule slippage); 

- The likelihood(s) of those scenario(s); and 

- The consequence(s) (severity of the performance 
degradation) that would result if the scenario(s) was (were) 
to occur 
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• In general, it can be difficult to assess decision alternatives against multifaceted 
and/or qualitative top-level objectives 

• To deal with this situation, objectives are decomposed, using an objectives 
hierarchy (OH), into a set of lower-level performance objectives that any attractive 
alternative should have 


• A performance measure is then developed for each performance objective, as the 
quantity that measures the extent to which a decision alternative meets the 
performance objective 


Top-Level 

Objectives 




1 

i; 
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Notional Objectives Hierarchy 



* Objectives are decomposed 
into quantifiable Performance 
Measures 


• Some Performance Measures 
may have Imposed Constraints 


• Some Performance Measures 
are unconstrained but have a 
desirable direction of 
goodness 
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Objectives Hierarchy 


• Explain what is meant by 
the higher-level objective 

• Partition the higher-level 
objective into its constituent j 
parts 

• Don’t impose a solution; 

• Are structured in a hierarchy: 

Means Objectives Network 



(Fundamental) Objectives Hierarchy 


Maximize 
r Safety ^ 


Maximize Use of Minimize 

Vehicle-Safety Features Accidents 





Are ways of accomplishing 
higher-level objectives 
May relate to multiple 
higher-level objectives; 
Imply a solution; 

Are structured in a network 


Motivate Purchase of 
Vehicle-Safety Features 


Require Safety 
Features 


Educate Public 
about Safety 


Maintain Vehicles 



Maximize Driving 
Quality 


Enforce 
Traffic Laws 


Have Reasonable 
T raffic Laws 


Minimize Driving under 
Influence of Alcohol 


Means Objectives Network 
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Alternative design solutions 
are generated as part of the 
Systems Engineering 
process 


Low-fidelity feasibility 
assessment (e.g., first-order 
analysis, engineering 
judgment) is used to prune the 
trade tree and narrow the set 
of alternatives to analyze 
further 


Scienfe Orbrterfar 
COifec^lciPl of Atrfj&sphenc : 
- Data at Planet X \ 
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• Goal: to develop a risk analysis framework that integrates domain-specific 
performance assessments and quantifies the performance measures 

- Risk Analysis - probabilistic modeling of performance 


Uncertain Conditions 


Probabilistically - Determined 
Outcomes 



of an Alternative 

ililMllil 

• Technical Risk ' 
•Cost Risk 

• Schedule Risk 




* Performance measures depicted for a single alternative 


• The challenge is to establish a transparent framework that: 

- Operates on a common set of performance parameters for each alternative 

- Consistently addresses uncertainties across mission execution domains and across 
alternatives 

- Preserves correlations between performance measures 


Presented by Homayoon Dezfulh Ph.D. 

Credit: See the acknowledgment statement on the first page 


29 



Setting the risk analysis framework (alternative specific) 



Performance • Performance 


Performance 



Presented by Homayoon Dezfufi, PhD. 

Credit: See the acknowledgment statement on the first page 

















• Detailed domain-specific analysis guidance is available in domain- 
specific guidance documents like the NASA Cost Estimating 
Handbook, the NASA Systems Engineering Handbook, and the 
NASA Probabilistic Risk Assessment Procedures Guide 


• Depending on project scale, life cycle phase, etc., different levels of 
analysis are appropriate. The rigor of analysis should be enough to: 

- Assess compliance with imposed constraints 

- Distinguish between alternatives 

• Iteration is to be expected as part of the analysis process, as 
analyses are refined and additional issues are raised during 
deliberations 
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• Performance Commitments 

- A performance commitment is a performance measure value set at a 
specified percentile of the performance measure’s pdf 

- Performance commitments help to anchor the decision-maker’s 
perspective to specific performance expectations for each alternative 

- For a given performance measure, the performance commitment is set 
at the same percentile for all decision alternatives 


- Performance commitments support 

a risk»riorrriaiized comparison of 
decision alternatives, at a level of 
risk, tolerance determined by the 
decision maker 
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Develop Risk-Normalized Candidate Performance C< 


litments 


Risk Analysis is Conducted j 
on Alternatives A, B and C j 


- — I Set PM Ordering and ^ ( Candidate Performance Commitments 
Candidate PM Risk Tolerances j defined at Candidate PM Risk Tolerances 


e@ Commitments facilitate comparison of performance 
across a range of risk tolerances 


Alternative 

A 


Alternative 
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/ Probability of not 
meeting “high-risk” 
candidate 
\ performance 
\ commitment 
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RIDM Process — Part 3 

Performance Commitments are to be Developed in a Conditlona 

s aol llwi 1 


Pres 

Cred 



a. Risk analysis output for Alternative i 



c - performance commitment set at the 
specified/ risk tolerance, given compliance 
with PM f performance commitment 


PM t Risk 



Performance 

Commitment 


b. PM f performance commitment 
set at the specified risk tolerance 



d. Performance commitments for PM t 
and PM » given the specified PM risk 
tolerances and PM ordering 




Summary of How the Concept of Performance Commitment 



• The inputs to performance commitment development are 

- The performance measure pdfs for each decision alternative 

- An ordering of the performance measures 

- A risk tolerance for each performance measure, expressed as a 
percentile value 

• The decision alternatives are compared by the decision maker in terms 
of candidate performance commitments that have the same failure 
probability across alternatives 

- Example (“Low” risk tolerance on previous slide): 

• Alternative B is best at the “low” risk tolerance setting (and Alternative 
A does not satisfy the imposed constraint) 

• Alternative A has the best reliability at the “low” setting 

• Alternative C has the best Cost & Schedule performance at the “low” 
setting 

• The approach focuses DM attention on the level of program risk being 
assumed by selection of a given alternative at given commitment levels 
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Risk-informed 
Selection Report 
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The perturbation □ Mitigative 

□ Aggravating 


Consequence of 
interest to decision- 
maker 


A risk scenario contains an IE and (usually) one or more pivotal events 
leading to an undesired end state. 
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• Risk is a set of triplets <S t , P is Cj> that 
answer the questions : 

What can go wrong? (scenarios, Sj) 

How likely is it? (probabilities, Pj) 

What are the consequences? (adverse 
effects, Cj) 


Kaplan Garrick , Risk Analysis, 1981 



Scenario 

Probability 

Consequence 

Si 

Pi 
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S 2 

Pi 
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RISK s 
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Examples of Hazard and Risk 




- Hazard: Hydrazine is a hazard because it can result or 
contribute to loss of spacecraft 


- Risk: The risk scenario of <Hydrazine leakage AND not 
detecting the leakage AND damaging flight critical 
avionics> has probability of 1 in 10,000 to result in a loss 
of spacecraft 
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* In between IE and end states 


- Represent 


• successes or failures of 
system/crew responses to 


the IE 


• occurrence or non- 
occurrence of external 
conditions or phenomena 

- Mitigative: reduces the 
severity of a consequence 


Hydrazine leaks and 
Leak is not isolated and 
Damage to flight critical avionics 




Aggravating: increases the 
severity of a consequence 


Loss of Spacecraft 
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• A risk scenario is in effect a conditional statement. 

• It is a logical expression that has the following structure: 


Occurrence of certain event(s) —> undesired end state 


IF (IE n Pivotal Event 1 n Pivotal Event 2 n THEM undesired end 
state is reached 

Where , n for “and” 

• A risk scenario is often characterized by a minimum set of events. In 
this case, the undesired end state can be prevented if 

- the IE does not occur <or> 

- one or more pivotal events do not occur 
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Events: Building blocks of a scenario 

- declarative sentences used to characterize a scenario 

Each event is a statement about a piece of equipment, a function, a 
condition, an outcome, etc. 

- It is binary: Can only have two mutually-exclusive states (True or 
False), 

- Example: 


Leak is not detected 
(Failure Space) 


True Leak is not detected 


False Leak is detected 


Leak is detected 
(Success Space) 


True 

Leak is detected 


False 

Leak is not detected , 


Presented by Homayoon Dezfuii, Ph.D. 

Credit: See the acknowledgment statement on the first page 


45 







Presented by Homayoon Dezfufi, Ph.D. 

Credit: See the acknowledgment statement on the first page 




46 


JO . 

.9 Si 

•WjyJl jj»»* 4 

^c^c5afcii 






















• If the PRA model is to be used to support decision making, then it 
should be structured to suit this purpose 

• The performance measures (PMs) are defined according to decisions 
being supported 

• Identification of PMs is the starting point of the PRA process 

- They should serve the evaluation of decision options 

- Ultimately they should be quantified 

• Examples of PMs: 

- P(loss of life or injury / illness to crew) 

- P(damage to, or loss of, equipment or property) 

- P(evacuation) 

- P(failure of mission) 

- P(damage to environment) 
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• Development of a comprehensive scenario set for a complex facility 
or mission is a team effort because of 

- the volume of work and 

- diversity of technical discipline involved 

• PRA requires detailed knowledge of responses to perturbations 

• PRA analysts require an in-depth knowledge of the system and how it 
operates. 

- knowledge of system dependencies; 

- knowledge of system operability states 

• Knowledge of “How it Fails” is derived from “How it Works” 

• PRA team should include system experts 
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• Hierarchical (Top-Down) method for obtaining initiating event groups 

(CLASS OF THINGS THAT CAN GO WRONG?) 

• The highest level of hierarchy is the end state of interest 

• Intermediate levels identify systems and subsystems (e.g., thruster 
module fails) 

• Lower levels identify component assemblies and initiating event 
categories (e.g., filter clogs or propellant leaks) 

• Master Logic Diagram is completed when further breakdown 
produces same system responses as higher level 

• An important consideration in the development of a useful MLD is 
knowing when to stop at a reasonable level 

• The “pinch point” occurs when every level below the stopping level 
has the same consequence as the level above it 
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• ESD is useful for identifying accident scenarios 

• The method uses forward logic 

• An ESD is developed for each initiating event category in the Master 
Logic Diagram 

• Most engineers find ESDs intuitive and easy to understand: 

- Used for communication between PRA analysts and system 
engineers 

• Events may be ordered to reflect dependence: 

- Later events depend on earlier events 

• Similarities in system response indicate that different initiating events 
can be combined 

• Scenario modeling is not typically accomplished in a single pass 
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Propellant tank 

The spacecraft is designed with two redundant sets 
of thrusters (independent of each other) 

Each propellant distribution module consists of a 
hydrazine tank, filters, distribution lines, normalfy- 
open isolation valves, sensors, heaters, etc. (only 
components that affect mitigation of leaks are 
shown) 

When thruster operation is needed, the controller 
opens the solenoid valves (not shown) to allow 
hydrazine to flow 

The controller monitors the pressure of feed-lines 
via pressure transducers (PI and P2). It is 
designed to differentiate between the normal 
thruster operation and a leak 

In the event of a leak, isolation valves (VI and V2) 
should both close 

Successful termination of the leak leads to the loss 
of one but not both, thruster sets 

Failure to terminate the leak can cause damage to 
the flight critical avionics and/or damage to 
scientific equipment: 

• Hydrazine acts as a wire stripper and is 
corrosive 



Simplified Schematic of Propellant 
Distribution Module 
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Leak detected 
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Most popular way to “map” component level failure information to 
system level” failure information 

It is a “top-down” analysis 

Used to analyze initiating or pivotal events in terms of more detailed 
causal events eu ’ 

Breakdown continues until either 
- data are available for quantification, or 

Scope of work dictated level of disaggregation. 

ioCS' y ’ th ® '° W ® St level (called “ basic event ” level) is the largest 
level of assembly for which data are available 
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PRIMARY EVENT SYMBOLS 



BASIC EVENT - A basic initiating fault requiring no further development 



CONDITIONING EVENT - Specific conditions or restrictions that apply to 
any logic gate (used primarily with PRIORITY, AND and INHIBIT gates). 



UNDEVELOPED EVENT - An event which is not further developed either 
because it is of insufficient consequence or because information is unavailable. 



HOUSE EVENT - An event which is normally expected to occur. 
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TRANSFER SYMBOLS 


/ \ TRANSFER IN - Indicates that the next tree is developed further at the occurrence of the 

/ \ corresponding TRANSFER OUT (e.g. on another page) 



TRANSFER OUT - Indicates that this portion of the tree must be attached at the 
corresponding TRANSFER IN 
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GATE SYMBOLS 



AND - Output fault occurs if all of the input faults occur. 



l|pjf 


OR - Output fault occurs if at least one of the input faults occur. 


COMBINATION - Output fault occurs if n of the input faults occur. 



EXCLUSIVE OR - Output fault occurs if exactly one of the input faults 
occurs. 



PRIORITY AND - Output fault occurs if all of the input faults occur in a 
specific sequence. The sequence is represented by a CONDITIONING 
EVENT dr awn to the right of the gate. 

INHIBIT - Output fault occurs if the (single) input fault occurs in the 
presence of an enabling condition. The enabling condition is represented by a 
CONDITIONING EVENT drawn to the right of the gate. 
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• The primary reason for logic-based decomposition of IEs or pivotal 
events into more detailed causal events (primary events) is the 
identification of cut sets 

• Cut set: A set of primary events whose simultaneous occurrence 
guarantees the occurrence of the top event (pivotal event) 

• Minimal cut set: A cut set containing the minimum subset of primary 
elements whose simultaneous occurrence guarantees the occurrence 
of the top event 

- If one were to remove one of the events in a minimal cut set, the 
top event would not occur 
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G2 = PI n P2 
G1 = CN u PP u G2 



Presented by Homayoon Dezf uii, Ph,D, 

Credit: See the acknowledgment statement on the first page 






| Leak no* 
isolated 


GI1 



GI2 



GI1 = Lu GI2 

Gi2 = /Ln GI3 

GI3 = VI u V2 u ON 

Gi2 = /Ln (VI uV2u CN) 

G12 = (/LnV1)u (/L n V2) u (/L n CN) 

GI1 = Lu (/L nV1)u(/Ln V2) u (/L n CN) 


Minimal cut sets 

Luj/Ln VI) u (/L n V2) u (/L n CN) 


, Leek source | 
downstream of } 
i fsctetion valvess l 

; IsoL valve i fail l 
j to dose on ! 
| demand j 

i 7 ; .. ' •' i 

, Controller fails ! 

1 Isol. valve 2 fail 
j to close oft 
i demand 

j Leak source ' : 

upstream of 
i f isolation valves ; 

777 

7~~7 

777 

77 

/7/V 


■: vi ; 

! Ofvt ; 

!; m i 


V J 


717 

7_;7 

7117 


Presented by Nomayoon Dezfuli, Fh,0. 

Credit: See the acknowledgment statement on the first page 










Hydrazine leaks 

Leak detected 

Leak isolated 

No damage to 
flight critical 
avionics 

No damage to 
scientific 
equipment 


fE 

LD 

U 

A 

S 


/ LD = CNuPPu (PI n P2) 


Risk 

Scenario 


Loss of science 2 1 


Loss of science : 5 1 




loss of science 8 1 

o 

4 

Y' 

/A1 j 


ONE-TO-MANY MAPPING 

As defined in Event Mapping to basic events 

Tree 

IEnLDnLIn/Al lEnLDnLIn/Al 
IEnLDn/LIn/A2 IEnLDoLn/A2 

IEnLDn/Ln Vln/A2 
IEnLDn/Ln V2n/A2 


IEn/LDn/A2 


jiEo ID v I..nCNn/'A2j 
IE n CN r\ A2 j~ 

IEnPPn/A2 / 
iEnPlnP2n/A/ 


Can this scenario occur? 


Presented by Homayoon Dezfuli, Ph.D, 

Credit: See the acknowledgment statement on the first page 


/LI = L u (/ L nV1)u(/Ln V2) u (/ L n CN) 







Hydrazine leaks 

Leak detected 

Leak isolated 

No damage to 
flight critical 
avionics 

No damage to 
scientific 
equipment 

End state 

IE 

LD 

LI 

A 

S 



• • 


intuitively the 
likelihood of /A1 
should be smaller 
than IA2 





1 

2 

3 

4 

5 

6 



Presented by Homayoon Dezfuli, Ph.D. 

Credit: See the acknowledgment statement on the first page 


72 




X®6i*S 














Presented by Homayoon Dezfuli, Ph.D, 

Credit: See the acknowledgment statement on the first page 


73 


■mmm 


WWWHf 








• Hardware failure: failure mode(s) of hardware components 

- Example: isolation valve fails to close on demand 

• Software failure 

- Example: controller program fails to generate isolation signal due 
to a software error 

• Phenomenological: a sequence of physical, chemical or biological 
events 

- Example: Propellant Leak damages critical wire harnesses for 
avionics 

• Human error: omission or commission errors 

- Example: Crew fails to isolate the leak after automatic isolation 
fails 

• Common cause failure (CCF): Failure of multiple components due to 
common physical environment or human interaction 

- Example : common cause failure of both pressure transducers 
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• Events appear in the structure of scenarios are treated as uncertain 
quantities for which we need probability estimates. Sources of data: 

- Hardware 

• Historical data on a similar piece of equipment 

- General engineering knowledge about the equipment or an 
expert's experience with the equipment 

- Phenomenological 

• Experimental and simulation models 

• Expert judgment 

- Human error 

• Simulator data 

• Actuarial data 

• Expert judgement 

- Common cause failure 

• Parametric models (e.g., beta factor) 
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of Reliability Models to obtain 
mates (an example) 



• The simplest and widely-used model based on the assumption of exponential 
time-to-failure 

• Probability of failure: 


Plf (t)=l-e u 


Example: assume A, = 0.001 per hour 

the probability that the device will fail 
before t=10Q0 hours is 

1- exp(-1)=0.632 

the probability that the device works for 
at least 1000 hours is 

1-0.632=0.368 
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1.0E-03 2.08-03 3.0E-03 5.0&-03 8.0E-03 

Failure Rate (Uncertain Variable) 


Lognormal Distribution 

X <* 0.00026661 X <» 0.0024005 



Typical uncertainties are associated with 

• Numerical values of the parameters used in the model 

• Inherent variability of stochastic processes 
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• The types of information available for the frequency of basic events 
include: 

- prior knowledge such as general engineering knowledge and the 
historical information from similar events, 

- the observed data for the event of interest in the system under 
study 

• The Bayesian approach provides a formal mechanism for combing all 
available information, such as engineering and qualification test data, 
filed experience, expert judgment, and data from similar systems 
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We are uncertain about the value of 
parameter(s) used to model occurrence 
probability of each event in the right 

• Example: We are uncertain about the value of 
the failure rate X that we assumed in the 
exponential failure model of Event “CN” 


Pr(CN) = 1 - e~ w 

• We use log normal distribution to characterize 
our uncertainty for X CH 

• Because X CN is uncertain, Pr(CN) would 
become uncertain. 

Each distribution defined in the right 
represents the uncertain^ in the occuirence 
probability ofthe event as a result of 
uncertainty in the value of a parameters) that 
is used to generate the probability 


We assumed ail events are 
log-normally distributed 
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Probability Distribution for Loss of Vehicle 
(Scenarios 3, 6, and 9) 



Frequency Values in 10 A -3 


Presented by Homayoon Dezfuli, Ph.D. 

Credit: See the acknowledgment statement on the first page 






• One scenario dominates the risk 

- leak occurs upstream of isolation valves. Because it is not 
isolable it can damage critical avionics 

- Contribution to risk: 97% 

• Options to reduce risk 



Structure of Dominant Scenario 

IE: 

Leak 

occurs 

Leak occurs 
upstream of 
isolation valves 

Leak damages 
critical avionics 

Frequency 

OPTIONS 

IE 

L 

/A 2 

Do nothing 

0.01 

0.1 

0.1 

1.0E-4 

Option 1 : Reduce the likelihood 
of leak between the propellant 
tank and isolation valves (e.g.. 
change in piping design) 

0.03 

(see note below) 

0.1 

5.0E-5 

Option 2: Reduce susceptibility 
of avionics to leak (e.g., rerouting 
of wires and fortify wire 
harnesses) 

0.01 

0.1 

0.0 1 

1 .0E-5 

F (see note below) ; 

Option 1 and 2 

0.01 


0.01 

5.0E-6 

Note: The numerical values shown in this table are hypothetical. 
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• Quantifies performance measures 

- Probability of Loss of Crew (LOC) 

- Probability of Loss of Mission (LOM) 

- PRA metrics are integral risk metrics 

• Captures dependences and other relationships between sub-systems 

• Works within a scenario-based concept of risk that best informs 
decision-making 

- Identifies contributing elements (initiating events, pivotal events, 
basic events) 

- Quantifies the risk significance of contributing elements, helping 
focus on where improvements will be effective 

- Provides a means of re-allocating analytical priorities according to 
where the dominant risk contributors appear to be coming from 

- Provides a framework for a monitoring / trending program to 
detect risk-significant adverse trends in performance 
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• Quantifies uncertainty and ranks contributors to uncertainty 

• Supports trade studies by quantifying 

- The most goal-related metrics 

- System interfaces and dependencies 

- Responses to system and function challenges 

- Effects of varying performance levels of different systems 

• Can be a powerful tool when used to assist decision-making 
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Non-Critical End States 
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